Data Protection and Cybersecurity Legislation of the Russian Federation in the Context of the “Sovereignization” of the Internet in Russia

Shcherbovich, Andrey

doi:10.1007/978-3-030-56405-6_3

CyberBRICS pp 67-131 | Cite as

Data Protection and Cybersecurity Legislation of the Russian Federation in the Context of the “Sovereignization” of the Internet in Russia

Authors
Authors and affiliations

Andrey Shcherbovich

Chapter

First Online: 05 January 2021

108 Downloads

Abstract

This chapter discusses Russian governmental attitudes for regulation and governance of the Internet in terms of cybersecurity and, particularly, data protection. The analysis of these areas is extremely important for understanding the entire Internet governance framework in Russia.

This is a preview of subscription content, to check access.

Annex

Country Report: Russia

1. Data Protection

Scope

1. What national laws (or other types of normative acts) regulate the collection and use of personal data?

Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated July 26, 2006 (DPA) and various regulatory acts adopted to implement the DPA as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149 FZ dated July 27, 2006, establishing basic rules as to the information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees’ personal data (Part XIV). Other laws may also contain data protection provisions, which implement the data protection rules in relation to specific areas of state services or industries.

Russia // Data protection laws of the world. DLA Piper Intelligence. URL: <https://www.dlapiperdataprotection.com/?t=law&c=RU>.

2. Is the country a part of any international data protection agreement?

Convention on the protection of individuals in the automated processing of personal data. Concluded in the city of Strasbourg on January 28, 1981 (together with the Amendments to the Convention on the Protection of Individuals with the Automated Processing of Personal Data (CETS No. 108), allowing the accession of the European Communities adopted by the Committee of Ministers in Strasbourg on June 15, 1999). This document entered into force on October 1, 1985. For the Russian Federation, this document entered into force on September 1, 2013.

Source: “Consultant Plus” Legal Reference System.

3. What data is regulated?

Personal data is information, i.e. messages or data regardless of the form of their representation”. The form of displaying information does not matter: it can be information in text, graphic and sound form or perceived by a person or device. The carrier of such data is also irrelevant: they can be recorded on paper, in another analogue form (e.g. on videotape) or exist in electronic form.

The information must have a certain relationship with an individual. Such an attitude may occur in cases where such information:

1)

By virtue of its content concerns a certain person
2)

Has as its purpose an assessment of a person’s activities or may affect the status of such a person, including by making any decisions in this regard
3)

Is of a technical nature (e.g. data of devices used by an individual) and is used for technical purposes but can, if desired, be used by the operator for purposes that have an impact on the rights and obligations of the individual

Information relates directly or indirectly to a particular or designated person, i.e. possesses certain identifying potential.

If the data makes it possible to single out an individual from a variety of persons and use his particular interaction model with respect to him, then that person is definable, and the corresponding information is his personal data.

Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

4. Are there any exemptions?

The Federal Law on Personal Data does not apply to relations arising from:

1)

The processing of personal data by individuals solely for personal and family needs, if this does not violate the rights of the subjects of personal data
2)

The organization of storage, acquisition, accounting and use of documents containing the personal data of the Archival Fund of the Russian Federation and other archival documents in accordance with the legislation on archives in the Russian Federation
3)

The processing of personal data assigned in the prescribed manner to information constituting state secrets

The Law on Personal Data does not apply to storage and other types of processing of unsystematized personal data, even if subsequent access by third parties is possible.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”; Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

5. To whom do the laws apply?

The legislation on personal data applies to all entities that process personal data. Federal government bodies as well as government bodies of constituent entities of the Russian Federation can process personal data. Local governments and municipal bodies that are not part of the system of local governments carry out the processing of personal data.

If legal entities process personal data, they are also subject to the law on personal data.

Under the individuals processing in the framework of the legislation on personal data are citizens who carry out business activities without forming a legal entity, from the moment of state registration as an individual entrepreneur. Individuals engaged in the processing of personal data may also include attorneys, notaries and heads of farms.

Kukharenko, T.A. Commentary to the Federal Law of July 27, 2006 No. 152-Ф3 “On Personal Data” (itemized) “Consultant Plus” Legal Reference System, 2011.

6. Do the laws apply to foreign entities that do not have physical presence in the country?

Even if a foreign company conducts its business through the Internet without a physical presence in Russia, data protection requirements may apply to such a company. The main criterion is that activity of such a foreign company is directed to the territory of the Russian Federation.

According to the Ministry of Communications and Mass Media, the use of a domain name associated with the Russian Federation (.ru, .рф., .su, .москва., .moscow и т.п.) may indicate the focus of activity on the territory of Russia as well as the presence of the Russian-language version of the Internet site, created by the owner of such a site or on his behalf by another person, except for the function of an automated translation.

Additional criteria are the ability to make payments in Russian roubles, the ability to deliver goods, provide services or use digital content in Russia, as well as other cases of contract execution in the Russian Federation, the use of advertising in Russian, referring to the corresponding Internet site, and other circumstances that clearly indicate the intention of the owner of the website to include the Russian market in their business strategy.

Zherdina S. Localisation of personal data of Russians for foreign companies // EZh-Yurist. 2017. N 45. p. 5.

Definitions

7. How are personal data defined?

Personal data – any information related to directly or indirectly determined or determining individual (subject of personal data).

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

8. Are there special categories of personal data (e.g. sensitive data)?

Article 10 of the Federal Law “On Personal Data” defines that special categories of personal data include data relating to race, nationality, political opinion, religious or philosophical beliefs, health and intimate life. Giving special categories of personal data a special status is due to the possibility of the occurrence of particularly negative consequences for the subject upon their disclosure or other unauthorized use. Such consequences can be expressed not only in risks to the life and health of a person but also in discrimination, the impossibility of exercising basic constitutional rights to work, education, freedom of conscience, holding assemblies, etc.

According to Article 11 of the Federal Law “On Personal Data”, biometric personal data includes information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established and which are used by the operator to identify the subject of personal data. The sensitive nature of biometric data and the impossibility of their “replacement” in the event of a compromise due to their inseparable connection with the person determine the special order of their processing.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

9. How is the data controller and the data processor/operator defined?

Operator is a state body, municipal body or legal or natural person, independently or jointly with other persons organizing and (or) processing personal data as well as determining the purposes of personal data processing, the composition of personal data to be processed and actions (operations) performed with personal data.

This definition is in fact a borrowing of the provisions of Directive 95/46/EC of the European Parliament and of the Council of the European Union on the protection of individuals in the processing of personal data and on the free circulation of such data, which became invalid due to the adoption of the GDPR.

It differs from the definition contained in the 1981 Convention, which uses the concept of the controller of the file, defined as “an individual or legal entity, state authority, institution or any other body competent in accordance with domestic law decide what should be the purpose of an automated data file, which categories of personal data should be stored or which operations should be performed with them”.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

10. What are the data protection principles and how are they defined?

1.

The processing of personal data must be carried out in a lawful and fair manner.
2.

The processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals. It is not allowed to process personal data incompatible with the purposes of collecting personal data.
3.

It is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other.
4.

Only personal data is processed that meets the purposes of processing it.
5.

The content and volume of processed personal data must comply with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing.
6.

When processing personal data, the accuracy of personal data must be ensured, its sufficiency and, if necessary, its relevance to the purposes of personal data processing. The operator must take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data.
7.

The storage of personal data should be carried out in a form that allows determining the subject of personal data not longer than the purpose of processing personal data unless the period for storing personal data is established by federal law, an agreement to which the subject of personal data is a beneficiary. The personal data to be processed shall be destroyed or depersonalized upon the achievement of the processing objectives or in case of the loss of the need to achieve these objectives unless otherwise provided by federal law.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

11. Does the law provide any specific definitions with regard to data protection in the digital sphere?

Automated processing of personal data – processing of personal data using computer technology.

Personal Data Information System – a set of personal data contained in databases and information technologies and technical means ensuring their processing.

The user of an information system of personal data is a person participating in the operation of an information system of personal data or using the results of its operation.

Under the technical means that allow for the processing of personal data, it refers to computer equipment, information and computer systems and networks, means and systems for transmitting, receiving and processing personal data and information protection tools used in information systems.

The system for the protection of personal data includes organizational and (or) technical measures determined to take into account the current threats to the security of personal data and information technologies used in information systems.

Actual threats to the security of personal data are understood as a set of conditions and factors that create an actual risk of unauthorized, including accidental, access to personal data when they are processed in an information system, which can result in the destruction, alteration, blocking, copying, provision, dissemination of personal data as well as other illegal actions.

Federal law of 27.07.2006 N 152-FZ (as amended on 12/31/2017) “On personal data”; Government Decree of 01.11.2012 N 1119 “On approval of requirements for the protection of personal data when processing them in personal data information systems”; “The basic model of threats to the security of personal data when they are processed in personal data information systems” (Extract) (approved by the Federal Service for Technical and Export Control on February 15, 2008).

Rights

12. Is the data protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

Initially, provisions relating to the protection of the rights of citizens in the field of personal data were reflected in the Universal Declaration of Human Rights adopted by the UN General Assembly on December 10, 1948. Later they were developed and reflected in the 1981 Convention ratified by the Russian Federation in 2013. The legislation of the Russian Federation in the field of personal data generally repeats the main provisions of the above international acts.

In Art. 23 of the Constitution of the Russian Federation, it is established that everyone has the right to privacy, personal and family secrets, protection of their honour and good name, the right to privacy of correspondence, telephone conversations, postal, telegraph and other messages. Restriction of this right is allowed only in exceptional cases provided by law.

Federal Law “On Personal Data”: scientific and practical commentary (article by article) / A.Kh. Gafurova, E.V. Dorotenko, Yu.E. Kontemirov and others; by ed. A.A. Priezhzheva. M.: The editors of “Rossiyskaya Gazeta”, 2015. Vol. 11. 176 s.

13. What are the rights of the data subjects according to the law?

The right to receive information on the processing of his personal data.
The right to clarify the personal data processed by the operator.
The right to block personal data.
The right to demand the destruction of data.
The right to take measures prescribed by law to protect their rights.
The right to appeal the actions of the operator to the authorized body.
The right to the processing of personal data in order to promote goods, works and services on the market by making direct contacts with a potential consumer using means of communication as well as for the purposes of political agitation only with the prior consent of the subject of personal data.
The prohibition to make decisions on the basis of automated processing of personal data, generating legal consequences in relation to the subject of personal data or otherwise affecting his rights and legitimate interests.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

Obligations and Sanctions

14. What are the obligations of the controllers and processors/operators?

Obligation to ensure the confidentiality of personal data – the prohibition to disclose personal data to third parties without the consent of the subject.

Obtaining the consent of the subject of personal data (when there are no other conditions for their processing) in a form that provides the opportunity to prove the fact of obtaining consent or in written cases in certain cases provided by law.

Publication of the privacy policy or other document defining its policy in relation to the processing of personal data, and information about the implemented requirements for the protection of personal data, as well as providing access to the specified document using the appropriate information and telecommunication network.

Publication of local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and elimination of the consequences of such violations.

Notification of Roskomnadzor prior to the processing of personal data.

Ensuring the security of information systems and the necessary level of personal data security.

Appointment of the person responsible for the processing of personal data (for operators who are legal entities).

Ensuring the impossibility of unauthorized access to the material carrier (except for paper media and carriers within the operator’s information system) of biometric personal data.

Ensuring the preservation of personal data of citizens of the Russian Federation in Russia.

Ali M. Personal data: duties and responsibilities of the operator // EZh-Lawyer. 2017. N 12. P. 5.

15. Is notification to a national regulator or registration required before processing data?

The operator, prior to the processing of personal data, is obliged to notify the authorized body for the protection of the rights of personal data subjects about their intention to process personal data, except in the special cases.

The operator has the right to carry out the processing of personal data without notifying the authorized body for the protection of the rights of personal data subjects:

1)

Processed in accordance with labour laws
2)

Received by the operator in connection with the conclusion of the contract to which the subject of personal data is a party
3)

Relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization
4)

Made by the subject of personal data publicly available
5)

Including only surnames, names and patronymic of personal data subjects
6)

Necessary for the purpose of a single pass of the subject of personal data to the territory in which the operator is located or for other similar purposes
7)

Included in the information systems of personal data, which in accordance with federal laws have the status of state automated information systems, as well as state information systems of personal data created to protect the security of the state and public order
8)

Processed without the use of automated means
9)

Processed in cases stipulated by the legislation of the Russian Federation on transport security

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

16. Does the law require privacy impact assessment to process any category of personal data?

The operator is obliged to take measures necessary and sufficient to ensure the performance of their duties. Such measures include an assessment of the harm that may be caused to personal data subjects in the event of a violation of the Federal Law “On Personal Data”, the ratio of the said harm and the measures taken by the operator to ensure the fulfilment of duties provided for by the Federal Law “On Personal Data”.

The main goal of such an audit is to analyse the effectiveness of organizational and technical measures taken to protect the processed personal data in order to minimize possible harm. The order and frequency of such an audit are determined by the local act of the operator.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

17. What conditions must be met to ensure that personal data are processed lawfully?

The processing of personal data is permitted under the following conditions:

1)

Processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.
2)

Processing of personal data is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or the law for the implementation and fulfilment of the functions, powers and duties assigned by the legislation of the Russian Federation to the operator.
3)
Processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings and proceedings in arbitration courts.
1. 3.1)
  
  Processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings.
4)

Processing of personal data is necessary to fulfil the powers of federal executive bodies, state extra-budgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local governments and the functions of organizations involved in the provision of state and municipal services, respectively, including the registration of a personal data subject portal of state and municipal services and (or) regional portals of state and municipality mortgage services.
5)

Processing of personal data is necessary for the execution of the contract, to which either the subject or personal data is a party or beneficiary, and also to enter into an agreement on the initiative of a personal data subject or a contract for which the subject of personal data will be a beneficiary or surety.
6)

Processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if the consent of the subject of personal data is impossible.
7)

Processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the subject of personal data.
8)

Processing of personal data is necessary for the professional activities of a journalist and (or) the legal activities of the media or scientific, literary or other creative activities, provided that it does not violate the rights and legitimate interests of the subject of personal data.
9)

Processing of personal data is carried out for statistical or other research purposes, subject to the mandatory depersonalization of personal data.
10)

Processing of personal data is carried out, access of an unlimited number of persons to which is provided by the subject of personal data or at his request (hereinafter – personal data made publicly available by the subject of personal data).
11)

Processing of personal data to be published or mandatory disclosure in accordance with federal law.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

18. What are the conditions for the expression of consent?

The subject of personal data decides on the provision of his personal data and agrees to their processing freely, by his own will and in his interest. Consent to the processing of personal data must be specific, informed and conscious. The subject of personal data or his representative in any form allowing confirming the fact of his receipt, unless otherwise established by federal law, may give consent to the processing of personal data. In the case of obtaining consent for the processing of personal data from a representative of the subject of personal data, the authority of the representative to give consent on behalf of the subject of personal data is checked by the operator.

The subject of personal data may withdraw consent to the processing of personal data.

In cases stipulated by federal law, the processing of personal data is carried out only with the consent in writing of the subject of personal data. The written consent on paper is recognized as equivalent to a consent in the form of an electronic document signed in accordance with federal law with an electronic signature.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

The processing of special categories of personal data is considered legal if it is carried out for the following reasons.

The second reason is the processing of publicly available personal data, if the subject of personal data makes them publicly available.

The third reason is the need to process personal data in connection with the implementation of international readmission agreements of the Russian Federation.

The fourth reason is the processing of personal data in accordance with Federal Law No. 8-FZ dated January 25, 2002, “On the All-Russian Population Census”.

The fifth reason is the processing of personal data in accordance with the legislation governing the citizenship of the Russian Federation, insurance legislation, legislation on defence, security, countering terrorism, transport security, countering corruption, criminal investigation executive legislation as well as legislation on state social assistance, labour and pension legislation.

The sixth reason is that the operator carries out personal data activities in the field of the exercise of prosecutorial oversight by prosecution authorities, as well as the administration of justice.

The seventh basis is the processing of special categories of data by certain categories of personal data operators and the purpose of such processing. The following categories of operators were assigned:

State bodies, municipal bodies or organizations for the purpose of arranging children left without parental care for upbringing in families of citizens
Public associations or religious organizations to achieve the legitimate goals provided for by their constituent documents, which are only entitled to process the data of their members
Persons who are professionally engaged in medical activities for medical and preventive purposes, in order to establish a medical diagnosis, the provision of medical and medical-social services

The eighth reason is the need to process personal data in order to protect the life, health or other vital interests of the subject of personal data or the life, health or other vital interests of others.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

20. What are the security requirements for collecting and processing personal data?

Ensuring the security of personal data is achieved, in particular, by:

1)

Identification of threats to the security of personal data when they are processed in personal data information systems
2)

The use of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems necessary to meet the requirements for the protection of personal data, the performance of which ensures the levels of personal data protection established by the Government of the Russian Federation
3)

The use of the information security measures passed in the prescribed manner
4)

An assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system
5)

Registration of the machine carriers of personal data
6)

Detection of facts of unauthorized access to personal data and taking measures
7)

Recovery of personal data modified or destroyed due to unauthorized access to it
8)

The establishment of rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system
9)

Control over measures taken to ensure the security of personal data and the level of security of personal data information systems

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

There is no such requirement. When collecting personal data, including through the Internet information and telecommunications network, the operator is obliged to ensure the recording, systematization, accumulation, storage, refinement (update, change) and extraction of personal data of citizens of the Russian Federation using databases located in Federation.

Part 5 of Article 18 of the Federal Law “On Personal Data” enshrines the obligation of the operator to ensure the localization of individual processes for the processing of personal data collected from Russian citizens. The provisions of this part came into force on September 1, 2015, and have no analogues in foreign legal orders, in connection with which the issues of their interpretation and correlation with the provisions on cross-border data transfer are of particular relevance. The important role in this is also played by the possibility of blocking the operator’s online resource, which processes personal data of citizens of the Russian Federation in violation of localization requirements.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

22. What are the requirements for transferring data outside the national jurisdiction?

According to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data, a party should not prohibit or condition cross-border personal data flows to the territory of the other party with a special permit, for the sole purpose of protecting privacy.

Nevertheless, each party has the right to deviate from this principle

a)

To the extent that its domestic law includes special rules for certain categories of personal data or automated personal data files because of the nature of the data or these files, unless the rules of the other party provide for the same protection
b)

When a transfer is made from its territory to the territory of a state that is not a party to this Convention, through the territory of the other party, in order to prevent such a transfer, which would bypass the legislation of the party mentioned at the beginning of this paragraph

Cross-border transfer of personal data to the territory of foreign states that are parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data, as well as other foreign states that provide adequate protection of the rights of personal data subjects, may be prohibited or restricted in order to protect the foundations of the constitutional system of the Russian Federation, morality, health, rights and legitimate interests of citizens, ensuring the defence of the country and the security of the state.

Roskomnadzor, as an authorized body for the protection of the rights of personal data subjects, approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data and ensure adequate protection of the rights of personal data subjects.

Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in the following cases:

1)

The existence of a written consent of the subject of personal data on the cross-border transfer of his personal data
2)

Stipulated by international treaties of the Russian Federation
3)

Provided for by federal laws, if it is necessary in order to protect the foundations of the constitutional system of the Russian Federation, to ensure the defence of the country and the security of the state, as well as to ensure the safety of a sustainable and safe operation of the transport complex, to protect the interests of the individual, society and the state in the sphere of the transport complex from acts of unlawful interventions
4)

The execution of the contract to which the subject of personal data is party
5)

Protection of life, health and other vital interests of the subject of personal data or other persons when it is impossible to obtain written consent of the subject of personal data.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”; Convention on the protection of individuals in the automated processing of personal data. Concluded in Strasbourg on January 28, 1981 (together with the Amendments to the Convention on the Protection of Individuals with the Automated Processing of Personal Data (CETS No. 108), allowing the accession of the European Communities adopted by the Committee of Ministers in Strasbourg on 15.06.1999).

23. Are data transfer agreements foreseen by the law?

Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in cases provided for by international treaties of the Russian Federation.

At the same time, not only intergovernmental agreements but also intergovernmental agreements and agreements of an interdepartmental nature, both bilateral and multilateral, are considered as international treaties of the Russian Federation.

The above international agreements may not contain the terms “cross-border transmission” and “personal data”; however the content of specific norms of such agreements or agreements as a whole should be directed specifically to actions that are classified by personal data legislation as cross-border data transmission.

The law does not require the preparation of an agreement on the transfer of personal data and their approval by an authorized body.

The authorized body for the protection of the rights of personal data subjects approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data and ensure adequate protection of the rights of personal data subjects.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12. 2017) “On personal data”; “Federal Law” On Personal Data “: Scientific and practical commentary” (article by article). Issue 11. Ed. A.A. Priezhzheva. “The Editors of the” Rossiyskaya Gazeta “, 2015.

24. Does the relevant national regulator need to approve the data transfer agreements?

The law does not require the preparation of an agreement on the transfer of personal data and their approval by an authorized body.

The authorized body for the protection of the rights of personal data subjects approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data and ensure adequate protection of the rights of personal data subjects.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

25. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Unlawful refusal of an official to present to a citizen documents and materials collected in accordance with the established procedure and directly affecting his rights and freedoms of a citizen (Article 140 of the Criminal Code of the Russian Federation).

Source: Who and what is responsible for violation of the law on personal data. Prepared by the experts of the JSC “Consultant Plus” // “Consultant Plus” Legal Reference System, 2019.

Actors

26. What actors are responsible for the implementation of the data protection law?

Administrative responsibility is established for:

Violation of the rules for processing personal data
Failure to perform duties when interacting with a citizen – the subject of personal data
Non-compliance with personal data protection requirements
Failure to perform duties when interacting with Roskomnadzor

Violation of legislation in the field of personal data may entail civil liability in the form of compensation for moral damage, compensation for damages and recovery of a penalty, if it was provided by the contract.

The employee and the employer are liable for violations of personal data laws.

In this case, the employer may be materially liable to their employees.

An employee can be brought both to disciplinary and to material liability if it is his fault in the processing of personal data that violates the legislation in the field of personal data.

There is no special rule on liability for violation of the Personal Data Law in the Criminal Code of the Russian Federation. However, the actions of a person who has violated the rules for working with personal data may form a corpus delicti from among those provided for by the Criminal Code of the Russian Federation.

In particular, criminal liability is established for:

Unlawful collecting or disseminating information about the private life of a person constituting his personal and family secrets, without his consent (Part 1 of Art. 137 of the Criminal Code of the Russian Federation)
Unauthorized access to computer information, which resulted in the destruction, blocking, modification (modification) or copying of information (part 1 of Art. 272 of the Criminal Code of the Russian Federation)

The Federal Service for Supervision in the Field of Communications, Information Technologies and Mass Communications (Roskomnadzor) is a federal executive body responsible for monitoring and supervising the compliance of personal data processing with the requirements of the legislation of the Russian Federation in the field of personal data. The Federal Service for Supervision of Communications, Information Technology and Mass Communications is an authorized federal executive body for the protection of the rights of personal data subjects.

Resolution of the Government of the Russian Federation of 16.03.2009 N 228 (Ed. 02/28/2019) “On the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications” (along with the “Regulations on the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications”).

27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g. independent authority, executive agency, judiciary)?

The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications (Roskomnadzor) is under the jurisdiction of the Ministry of Digital Development, Communications and Mass Communications of the Russian Federation. As part of it, the Office for the Protection of Rights of Subjects of Personal Data of the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications is formed. It is a structural unit of the Federal Service for Supervision of Communications, Information Technologies and Mass Communications. The department of keeping the register of operators engaged in the processing of personal data, the Department for Control and Supervision of the Processing of Personal Data and the Department of the Legal and Methodological Support. The relevant departments are formed in the 71 territorial body of Roskomnadzor.

Resolution of the Government of the Russian Federation of 16.03.2009 N 228 (Ed. 28.02.2019) “On the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications” (along with the “Regulations on the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications”) Official Website of Roskomnadzor. URL: <https://pd.rkn.gov.ru/authority/authority-structure/>.

28. What are the powers of the actors responsible for the implementation of the data protection law?

The activity of the control and supervision body aimed at preventing, detecting and stopping the violation by operators of personal data of the requirements of the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it by:

a)

The organization and conduct of scheduled and unscheduled inspections
b)

Taking measures to suppress and (or) eliminate the consequences of the violations found
c)

Control measures without interaction with operators
d)

Measures for the prevention of violations

Within these powers, Roskomnadzor:

Keeps a register of operators engaged in the processing of personal data;
Considers appeals of the subject of personal data about the compliance of the content of personal data and methods of their processing with the purposes of their processing and makes the appropriate decision
Cooperates with the authorities authorized to protect the rights of personal data subjects in foreign countries, in particular the international exchange of information on the protection of the rights of personal data subjects
Annually sends a report on its activities to the President of the Russian Federation, the Government of the Russian Federation and the Federal Assembly of the Russian Federation

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Resolution of the Government of the Russian Federation of 16.03.2009 N 228 (Ed. 28.02.2019) “On the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications” (along with the “Regulations on the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications”).

2. Consumer Protection

Scope

29. What national laws (or other types of normative acts) regulate consumer protection?

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”

Civil Code of the Russian Federation (Part One) of November 30, 1994 N 51-FZ (as amended on 08/03/2018, entered into force on 01.01.2019)

Civil Code of the Russian Federation (Part Two) dated January 26, 1996 N 14-FZ (as amended on 29.07.2018, entered into force on 30.12.2018)

Civil Code of the Russian Federation (Part Three) dated 26.11.2001 N 146-FZ (as amended on 08/03/2018, entered into force on 01.09.2018)

Civil Code of the Russian Federation (Part Four) dated December 18, 2006 N 230-FZ (as amended on 23.05.2018)

“Consultant Plus” Legal Reference System.

30. Is the country a party of any international consumer protection agreement?

Agreement on the main areas of cooperation of the state members of the Commonwealth of Independent States in the field of consumer protection (concluded in Moscow on January 25, 2000).

Protocol on Amendments to the Agreement on the Main Directions of Cooperation of the States Parties of the Commonwealth of Independent States in the Field of Consumer Protection of January 25, 2000 (Together with the Regulations on the Consultative Council on Consumer Rights Protection of the CIS Member States). Signed in Minsk on May 19, 2011.

“Consultant Plus” Legal Reference System.

31. To whom do consumer protection laws apply?

The subjects of legal relations in the field of consumer protection are citizens who have the intention to order or purchase or ordering, purchasing or using goods (works, services) solely for personal, family, household and other needs not related to entrepreneurial activities, and business entities (organizations regardless of their organizational and legal form, as well as individual entrepreneurs), acting as sellers, manufacturers, performers or importers on consumer market.

Review of the practice of courts hearing cases on consumer protection disputes related to the sale of goods and services (approved by the Presidium of the Supreme Court of the Russian Federation on 17.10.2017).

32. Do the laws apply to foreign entities that do not have physical presence in the country?

At the conclusion of the contract, its parties may select the law to be applied to their rights and obligations under the contract.

The choice of the applicable law to the contract to which the consumer is a party cannot entail depriving an individual (consumer) of his rights protection provided by the mandatory rules of the law of the consumer’s country of residence if the consumer’s counterparty (professional party) operates in the country of place residence of the consumer or by any means directs its activities to the territory of this country or the territory of several countries, including the territory of the country of residence will consume ate, provided that the contract is related to such activity of the professional party.

In the absence of agreement of the parties on the applicable law and in the circumstances specified above, the law of the country of residence of the consumer shall apply to the contract with the participation of the consumer.

The choice of the applicable law to the contract with the participation of the consumer cannot entail depriving the consumer of the protection of his rights provided by the mandatory rules of the country whose law would apply to this contract without the parties’ agreement on the choice of law.

Civil Code of the Russian Federation (part three) dated 26.11.2001 N 146-FZ (as amended on 08/03/2018, entered into force on 01.09.2018).

Definitions

33. How is consumer protection defined?

Consumer protection refers to the relationship between consumers and manufacturers, performers, importers, sellers and owners of aggregators of information about goods (services) in the sale of goods (performance of works, rendering services). The law establishes the rights of consumers to purchase goods (works, services) of adequate quality and safe for life, health, property of consumers and the environment, obtaining information about goods (works, services) and their manufacturers (performers, sellers), owners of information aggregators about goods (services), education, state and public protection of their interests and also determines the mechanism for the realization of these rights.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”.

34. How are consumers defined?

Consumer – a citizen who has the intention to order or purchase or ordering, purchasing or using goods (works, services) solely for personal, family, household and other needs not related to the business.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”.

35. How are providers and producers defined?

Manufacturer – an organization regardless of its organizational and legal form, as well as an individual entrepreneur, producing goods for sale to consumers; contractor – an organization, regardless of its organizational and legal form, as well as an individual entrepreneur performing work or providing services to consumers under a paid agreement; the seller is an organization regardless of its organizational and legal form, as well as an individual entrepreneur who sells goods to consumers under a purchase and sale agreement.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”.

36. Does the law provide any specific definitions with regard to consumer protection in the digital sphere?

Selling goods remotely – selling goods under a retail sale contract concluded on the basis of the buyer’s familiarization with the description of the goods offered by the seller, contained in catalogues, brochures and booklets or presented on photographs or using postal networks, telecommunications networks, including information and telecommunications network “Internet”, as well as communication networks for broadcasting TV channels and (or) radio channels, or in other ways, excluding the possibility of direct familiarization of the buyer with the goods or sample of goods at the conclusion of such a contract.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”. Decree of the Government of the Russian Federation of 27.09. 2007 No. 612 (as amended on 04.10.2012) “On the approval of the Rules for the sale of goods by remote means”.

Rights

37. Is the consumer protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

The legal basis for consumer protection is the Constitution of the Russian Federation, federal laws, regulations of the President of the Russian Federation and the Government of the Russian Federation, as well as the United Nations Guidelines for Consumer Protection adopted by the United Nations General Assembly on December 22, 2015, by Resolution No. 70/186.

According to the Constitution of the Russian Federation, the state protection of the rights and freedoms of man and citizen in the Russian Federation is guaranteed. Everyone has the right to protect their rights and freedoms by all means not prohibited by law. In addition, everyone is guaranteed judicial protection of his rights and freedoms. Decisions and actions (or inaction) of state authorities, local governments, public associations and officials may be appealed in court.

Everyone has the right, in accordance with the international treaties of the Russian Federation, to apply to interstate bodies for the protection of human rights and freedoms if all available domestic remedies have been exhausted.

The Constitution of the Russian Federation (adopted by popular vote on 12/12/1993, as amended by the laws of the Russian Federation on amendments to the Constitution of the Russian Federation of 12/30/2008 N 6-FKZ, of 12/30/2008 N 7-FKZ, of 05.02.2014 N 2-FKZ, dated 07.21.2014 N 11-FKZ). Order of the Government of the Russian Federation of 28.08.2017 N 1837-p on approval of the Strategy of the state policy of the Russian Federation in the field of consumer protection for the period until 2030.

38. What are the rights of the consumer defined by the law with reference to digital good and services?

The consumer has the right to refuse to pay for such works (services), and if they are paid for, the consumer has the right to demand the seller to return the amount paid.

The consumer has the right to refuse the goods at any time before its transfer, and after the transfer of the goods – within 7 days.

If information on the procedure and deadlines for returning goods of good quality was not provided in writing at the time of delivery of the goods, the consumer has the right to refuse the goods within 3 months from the moment of transfer of the goods.

If there are defects in the goods for which no warranty or expiration dates have been established, the consumer has the right to make demands regarding the defects of the goods within a reasonable time, but within 2 years from the date of transfer to the buyer, if law or contract does not establish longer periods.

The consumer also has the right to make claims to the seller regarding the defects of the goods, if they are found during the warranty period or shelf life.

The consumer to whom the product of inadequate quality is sold, if this has not been stipulated by the seller, has the right to demand at its choice:

a)

Free elimination of defects in the goods or reimbursement of the costs of their correction by the buyer or a third party.
b)

A commensurate reduction in the purchase price.
c)

Replacement for a product of a similar brand (model, article) or for the same product of another brand (model, article) with a corresponding recalculation of the purchase price. At the same time with respect to technically complex and expensive goods, these requirements of the buyer are subject to satisfaction in case of detection of significant shortcomings.

The consumer has the right to refuse to perform the contract and to demand the return of the amount paid for the goods. At the request of the seller and at his expense, the consumer must return the goods with defects.

The consumer also has the right to demand full compensation for damages caused to him because of the sale of goods of inadequate quality. Losses are reimbursed in the terms established by law to meet the relevant requirements of the buyer.

If the seller refuses to transfer the goods, the consumer has the right to refuse to perform the contract and demand compensation for the losses caused.

The consumer is not entitled to refuse the goods of good quality, which has individually defined properties, if exclusively the consumer acquiring it can use the specified goods.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”. Decree of the Government of the Russian Federation of September 27, 2007 No. 612 (as amended on 04.10.2012) “On the approval of the Rules for the sale of goods by remote means”.

39. Is consumer protection law applicable to users of zero price service, i.e. free of charges?

In the case of a consumer acquiring digital content within the framework of free online services, the Law on Consumer Protection does not apply, which follows from the definition of “performer” – an organization regardless of its organizational and legal form, as well as an individual entrepreneur performing work or providing services to consumers on paid agreement.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”. Saveliev A.I. Electronic commerce in Russia and abroad: legal regulation. Second ed. M.: Statute, 2016. 640 p.

Obligations and Sanctions

40. Does the law establish specific security requirements to provide digital services or goods?

The consumer has the right to ensure that the product (work, service) under normal conditions of its use, storage, transportation and disposal is safe for the life, health of the consumer and the environment and does not harm the property of the consumer. Requirements that must ensure the safety of a product (work, service) for the life and health of the consumer and the environment and the prevention of harm to the property of the consumer are mandatory and are established by law or in the manner prescribed by it.

The manufacturer (performer) is obliged to ensure the safety of the goods (work) during the established service life or shelf life of the goods (work).

If the manufacturer (performer) has not established a service life for the goods (work), he is obliged to ensure the safety of the goods (work) within 10 years from the day the goods (work) are transferred to the consumer.

Harm caused to the life, health or property of the consumer due to failure to ensure the safety of the goods (work) is refundable.

If for the safety of using a product (work, service), its storage, transportation and disposal it is necessary to observe special rules, the manufacturer (contractor) is obliged to indicate these rules in the accompanying documentation for the goods (work, service), on the label, marking or otherwise, and the seller (performer) is obliged to bring these rules to the attention of the consumer.

If, for goods (works, services), the law or in the procedure established by it establishes mandatory requirements ensuring their safety for the life, health of the consumer and the environment and preventing harm to the consumer’s property, the conformity of goods (works, services) with these requirements is subject to mandatory confirmation stipulated by law and other legal acts.

Sale of goods (performance of work, provision of services), including imported goods (work, services), without information about the mandatory confirmation of its compliance with safety requirements, is not allowed.

If it is established that, if the consumer complies with the established rules for using, storing or transporting the goods (work), he causes or may harm the life, health and property of the consumer and the environment, the manufacturer (performer, seller) is obliged to immediately suspend its production (sale) until it is eliminated causes of harm and, if necessary, take measures to remove it from circulation and recall it from the consumer(s).

If the causes of harm cannot be eliminated, the manufacturer (performer) is obliged to remove such goods (work, service) from production. If the manufacturer (executor) fails to fulfil this obligation, the authorized federal executive body takes measures to recall such goods (work, services) from the domestic market and (or) from consumers or consumers in the manner prescribed by the legislation of the Russian Federation.

Losses caused to the consumer in connection with the recall of the goods (work, services) are subject to compensation by the manufacturer (performer) in full.

The following goods shall be recognized as not meeting the requirements of safety of life and health of consumers: a) for which a refusal to issue a certificate of conformity to the safety requirements specified in the standards was received; b) certification for compliance with the established safety requirements for such goods that has not passed; and c) with an unspecified expiration date and with unspecified special rules for safe use, storage, transportation and disposal.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”. Commentary to the Criminal Code of the Russian Federation: in 4 tons (itemized)/A.V. Brilliantov, A.V. Galakhov, V.A. Davydov et al.; rep. ed. V.M. Lebedev. M.: Yurayt, 2017. V. 3: The special part. Section IX. 298 p.

41. What are the sanctions and remedies foreseen by the law for now complying with the obligations?

For violation of consumer rights established by laws and other regulatory legal acts of the Russian Federation, the seller (performer, manufacturer, authorized organization or authorized individual entrepreneur, importer) bears administrative, criminal or civil liability in accordance with the legislation of the Russian Federation.

Administrative responsibility is provided for the sale of goods, the performance of work or the provision of services to the population of inadequate quality or in violation of the requirements established by the legislation of the Russian Federation, as well as in the absence of established information. It also provides for administrative liability for consumer fraud, violation of other consumer rights and violation of the rules for the sale of certain types of goods.

Criminal liability is provided for violation of sanitary and epidemiological rules, production, storage, transportation or sale of goods and products, performance of work or provision of services that do not meet safety requirements, as well as for the circulation of counterfeit, substandard and unregistered medicines, medical products and trafficking in biologically active additives.

Civil liability for violation of consumer protection laws is established in the form of compensation for damages; compensation for harm caused by deficiencies in goods, works or services; and in the form of compensation for moral harm.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”. Code of the Russian Federation on Administrative Offenses dated December 30, 2001 No. 195-FZ (as amended on May 01, 2019). Criminal Code of the Russian Federation of 13.06.1996 N 63-FZ (as amended on 04.23.2019). Civil Code of the Russian Federation (Part One) of 30.11.1994 N 51-FZ (as amended on 03.08.2018, as amended and added, took effect from 01.01.2019). The Civil Code of the Russian Federation (Part Two) dated January 26, 1996 N 14-FZ (as amended on 07/29/2018, as amended and added, entered into force on December 30, 2018).

Actors

42. What bodies are responsible for the implementation of the consumer protection law?

Federal state supervision in the field of consumer rights protection is carried out by an authorized federal executive body in this area.

The highest executive body of state power of the relevant subject of the Russian Federation takes measures to implement, ensure and protect the rights of consumers and within its authority.

Consumer protection on the territory of the municipal entity is carried out by local authorities.

Citizens have the right to unite on a voluntary basis into public associations of consumers (their associations, unions), which carry out their activities in accordance with the charters of these associations (their associations, unions) and the legislation of the Russian Federation.

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”.

43. Is there a specific consumer protection body? If so, what is its administrative structure?

Federal state supervision in the field of consumer protection is carried out by the Federal Service for Supervision of Consumer Rights Protection and Human Welfare.

The Federal Service for Supervision of Consumer Rights Protection and Human Welfare is headed by a leader appointed to office and dismissed by the Government of the Russian Federation.

The head of the Federal Service for Supervision of Consumer Rights Protection and Human Welfare is the chief state sanitary doctor of the Russian Federation.

The head of the Federal Service for Supervision of Consumer Rights Protection and Human Welfare is personally responsible for the implementation of the functions assigned to the Service.

The head of the Federal Service for Supervision of Consumer Rights Protection and Human Welfare has deputies appointed to office and dismissed from office by the Government of the Russian Federation on the proposal of the head of the Service.

The deputy heads of the Federal Service for Supervision of Consumer Rights Protection and Human Welfare, performing the functions of organizing and implementing federal state sanitary and epidemiological supervision, are deputy chief state sanitary doctor of the Russian Federation.

The number of deputy heads of the Federal Service for Supervision of Consumer Rights Protection and Human Welfare is established by the Government of the Russian Federation.

Decree of the Government of the Russian Federation of 02.05.2012 N 412 (ed. of 14.12.2018) “On approval of the Regulation on federal state supervision in the field of consumer rights protection”.

Decree of the Government of the Russian Federation of 30.06.2004, N 322 (as amended on 26.03.2019) “On the approval of the Regulations on the Federal Service for Supervision of Consumer Rights Protection and Human Welfare”.

44. What are the powers of the bodies responsible for the implementation of the consumer protection law?

1)

Organizing and conducting inspections of compliance by manufacturers (performers, sellers, authorized organizations or authorized individual entrepreneurs, importers, owners of aggregators) with the requirements established by international treaties of the Russian Federation, the Law on Consumer Protection, other federal laws and other regulatory legal acts of the Russian Federation, regulating relations in the field of consumer rights protection and regulations of officials of the state supervision body
2)

Organizing and conducting inspections of the conformity of goods (works, services) to mandatory requirements ensuring the safety of goods (works, services) for the life and health of consumers and the environment, preventing actions that mislead consumers and preventing harm to consumers’ property set forth in compliance with international treaties of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation
3)

Applying, in accordance with the procedure established by the legislation of the Russian Federation, preventive measures for violating mandatory requirements and issuing orders to terminate violations of consumer rights, to terminate violations of mandatory requirements, to eliminate identified violations of mandatory requirements and to bring to justice the persons who committed such violations
4)

Systematic observation of the fulfilment of mandatory requirements, analysis and forecasting of the state of fulfilment of mandatory requirements when manufacturers (performers, sellers, authorized organizations or authorized individual entrepreneurs, importers, owners of aggregators) carry out their activities
5)

Statistical observation in the field of consumer protection, accounting and analysis of cases of harm to life and health of consumers, the environment and property of consumers associated with the acquisition and use of goods (works, services) with disabilities and hazardous goods (works, services) or with providing consumers with untimely, incomplete, unreliable and misleading information about goods (works, services)
6)

The annual analysis and evaluation of the effectiveness of federal state supervision in the field of consumer protection
7)

Annual preparation of state reports on the protection of consumer rights in the Russian Federation in the manner established by the Government of the Russian Federation

Law of the Russian Federation of 07.02.1992 N 2300–1 (as amended on 18.03.2019) “On Protection of Consumer Rights”.

3. Cybercrime

Scope

45. What national laws (or other types of normative acts) regulate cybercrime?

Chapter 28 “Crimes in the field of computer information” of the Criminal Code of the Russian Federation

Criminal legislation of the Russian Federation consists of only the Criminal Code of the Russian Federation. New laws providing for criminal liability are subject to inclusion in this Code.

Criminal Code of the Russian Federation of 13.06.1996 N 63-FZ (as amended on 23.04.2019).

46. Is the country a part of any international cybercrime agreement?

The Russian Federation is a party to the Agreement on Cooperation of the Member States of the Commonwealth of Independent States in Combating Computer Information Offenses (concluded in Minsk on 06/06/2001). The Russian Federation ratified the Agreement with the following reservation: “The Russian Federation reserves the right to refuse execution of the request, in whole or in part, if the execution of the request is likely to prejudice its sovereignty or security”.

Federal law of 01.10.2008 N 164-ФЗ “On ratification of the Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information”. Order of the President of the Russian Federation of 15.11.2005 N 557-rp “On the signing of the Convention on Cybercrime”. Order of the President of the Russian Federation of March 22, 2008 No. 144-rp “On declaring the decree of the President of the Russian Federation of November 15, 2005 No. 557-rp” On Signing the Convention on Cybercrime “invalid.

47. What cybercrimes are regulated?

a)

Implementation of unauthorized access to computer-protected information by law, if this act resulted in the destruction, blocking, modification or copying of information and disruption of the operation of a computer, computer system or their network
b)

The creation, use or distribution of malicious programs
c)

Violation of the rules of operation of a computer, computer system or their network by a person having access to a computer, computer system or their network, resulting in the destruction, blocking or modification of information protected by law of a computer, if this act caused significant harm or serious consequences
d)

Illegal use of computer programs and databases that are objects of copyright, as well as the assignment of authorship, if this act has caused significant damage

Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information (concluded in Minsk 01.06.2001).

48. To whom do the laws apply?

An individual may be subject to a crime and criminal liability, if he has the minimum necessary set of features: has reached the legal age and is sane. These signs are mandatory to establish the responsibility of all persons involved in the crime – the performers, organizers, instigators and collaborators. Criminal liability comes as a rule from the age of 16.

Commentary to the Criminal Code of the Russian Federation: in 4 volumes (itemized)/A.V. Brilliantov, A.V. Galakhova, V.A. Davydov et al.; ed. by V.M. Lebedev. M.: Yurayt, 2017. T. 1: General part. 316 p.

Definitions

49. Do the laws apply to foreign entities that do not have physical presence in the country?

Foreign citizens and stateless persons who are not permanently residing in the Russian Federation who have committed a crime outside the Russian Federation are subject to criminal liability under this Code in cases where the crime is directed against the interests of the Russian Federation or a citizen of the Russian Federation or a stateless person residing in the Russian Federation as well as in cases stipulated by an international treaty of the Russian Federation or another document of an international character, containing liabilities recognized by the Russian Federation.

Criminal Code of the Russian Federation of 13.06.1996 N 63-FZ (as amended on 23.04.2019).

50. How is cybercrime generally defined by the national law?

In the legislation, there is no definition of a group of crimes; only individual crimes are defined. Computer-related crimes are defined as socially dangerous acts under criminal law that cause harm or create a danger of harm to the safety of the production, storage, use or dissemination of information or information resources.

Criminal Code of the Russian Federation of 13.06.1996 N 63-FZ (as amended on 23.04.2019).

51. What are the cybercrimes provided for by the law and how are they defined?

Unauthorized access to protected computer information or unauthorized use of the possibility of obtaining computer information by the owner or another of its legal owners is unlawful.

Creation, distribution or use of computer programs or other computer information, which are intended for unauthorized destruction, blocking, modification, copying of computer information or neutralization of computer information protection tools.

Violation of the rules for the use of storage, processing or transmission of protected computer information or information and telecommunication networks and terminal equipment, as well as rules for access to information and telecommunication networks, resulting in the destruction, blocking, modification or copying of computer information, which caused major damage.

Creation, distribution and (or) use of computer programs or other computer information, which are intended to improperly influence the critical information infrastructure of the Russian Federation, including for destroying, blocking, modifying and copying the information contained in it or neutralizing the means of protecting this information.

Unauthorized access to protected computer information contained in the critical information infrastructure of the Russian Federation, including using computer programs or other computer information that are deliberately intended to improperly affect the critical information infrastructure of the Russian Federation, or other malicious computer programs, if it entailed causing damage to the critical information infrastructure of the Russian Federation.

Violation of the rules for the operation of the storage, processing or transmission of protected computer information contained in the critical information infrastructure of the Russian Federation, or information systems, information and telecommunication networks, automated control systems and telecommunication networks relating to the critical information infrastructure of the Russian Federation, or the rules for access to these information, information systems, information and telecommunication networks, automated systems management and telecommunication networks, if it resulted in damage to the critical information infrastructure of the Russian Federation.

Criminal law of Russia. General and Special parts: textbook / A.A. Aryamov, TB Basova, E.V. Blagov et al.; ed. by Yu.V. Gracheva, A.I. Chuchaev. M.: CONTRACT, 2017. 384 p.

52. How is a computer system defined?

Information system is a set of information contained in databases and information technologies and technical means ensuring its processing.

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

54. How are computer data defined?

Computer information refers to information (messages, data) presented in the form of electrical signals, regardless of their means of storage, processing and transmission.

Criminal Code of the Russian Federation of 13.06.1996 N 63-FZ (as amended on 23.04.2019).

55. How are forensic data defined?

Judicial computer-technical expertise is an independent type of forensic examinations conducted to determine the status of an object as a computer tool, determine its role in an investigated crime and access information on electronic media with its subsequent comprehensive investigation.

Letter of the Federal Bailiff Service of Russia dated September 18, 2014 No. 00043/14/56151-BB “On Methodological Recommendations” (together with the “Methodological Recommendations on the Order of Appointment and Proceeding of Legal Expertise in Pre-Investigation and Investigation of Crimes Subject to the Federal Bailiff Service” approved by the FBS of Russia 15.09.2014 N 0004/22).

56. How are service providers defined?

Hosting provider – a person providing services for the provision of computing power for placing information in an information system that is constantly connected to the Internet.

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

57. Does the national law provide any other definitions instrumental to the application of cybercrime legislation?

The destruction of information is the reduction of information or its part into an unusable state, regardless of the possibility of its recovery. The destruction of information is not the renaming of the file where it is contained, as well as the automatic “wipe out” of the old versions of the files by the latest.

Blocking information is the result of exposure to computer information or equipment, the consequence of which is the impossibility for some time or to constantly perform the required operations on computer information completely or in the required mode, that is, performing actions that lead to restriction or closure of access to computer equipment and resources and the obstruction of the access of legitimate users to computer information not related to its destruction.

Information modification – making changes to computer information (or its parameters).

Copying information – creating a copy of existing information on another medium, that is, transferring information to a separate carrier while maintaining the original information unchanged, reproducing information in any material form – by hand, photographing text from the display screen, as well as reading the information by any interception of information, etc.

A computer program is an objective form of representing a set of data and commands intended for the functioning of a computer device in order to obtain a certain result.

Creation of programs is an activity aimed at developing and preparing programs that are capable of unauthorized destruction, blocking, modifying and copying of computer information or neutralizing computer information protection tools.

The distribution of such programs means the provision of access to any unauthorized person in any of the possible ways, including selling, renting and sending free of charge via the electronic network, that is, any actions to provide access to the program via network or other means.

Using the program is working with the program, applying it for its intended purpose and other actions to introduce it into economic circulation in its original or modified form. Under the use of malicious programs refers to their use (by any person), in which their harmful properties are activated.

Guidelines for the implementation of prosecutorial supervision over the implementation of laws in the investigation of crimes in the field of computer information (approved by the Prosecutor General’s Office of Russia).

Rights

58. Is the cybercrime law based on fundamental rights (defined in Constitutional law or International binding documents)?

The provision on its highest legal force enshrined in the Constitution of the Russian Federation means that all constitutional norms have the supremacy over laws and other regulatory legal acts.

In accordance with Art. 18 of the Constitution of the Russian Federation, the rights and freedoms of a person and a citizen are directly applicable. They determine the meaning, content and application of laws, the activities of the legislative and executive authorities and local self-government and are ensured by justice.

Generally recognized principles and norms of international law enshrined in international covenants, conventions and other documents (in particular, the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the International Covenant on Economic, Social and Cultural Rights) and international treaties of the Russian Federation are in accordance with Part 4 of Art. 15 of the Constitution of the Russian Federation an integral part of its legal system. The same constitutional norm determines that if an international treaty of the Russian Federation establishes other rules than those provided by law, then the rules of the international treaty apply.

Taking this into account, the court does not have the right to apply the norms of the law regulating the legal relations that arose, if an international agreement entered into force for the Russian Federation, the decision on consent to which the Russian Federation was made in the form of federal law, establishes other rules than those provided by law, in these cases, the rules of the international treaty of the Russian Federation.

Constitution of the Russian Federation (adopted by popular vote on 12.12.1993, with the amendments made by the Laws of the Russian Federation on amendments to the Constitution of the Russian Federation of 30.12.2008 No. 6-FKZ, of 30.12.2008 No. 7-FKZ, of 02.05.2014 N 2-FKZ, of 21.07.2014 N 11-FKZ). Resolution of the Plenum of the Supreme Court of the Russian Federation of October 31, 1995 N 8 (ed. 03/03/2015) “On some issues of the application by courts of the Constitution of the Russian Federation in the administration of justice”.

59. What are the rights of the victim and the accused?

The most significant rights granted to a victim are the following:

1)

To know about the accusation against the accused.
2)

To testify.
3)

To get acquainted with the decision on the appointment of a forensic examination and with the expert opinion.
4)

The special right of victims is the receipt of copies of the procedural and judicial acts of the criminal case.
5)

To know about complaints and representations brought in a criminal case and to file objections to them.
6)

The victim’s special right is his participation in the court hearing.

Everyone charged with a criminal offence is presumed innocent until his guilt is established by law.

Everyone charged with a criminal offence has at least the following rights:

a)

To be immediately and in detail notified in a language understandable to him of the nature and cause of the accusation against him
b)

To have adequate time and facilities for the preparation of his defence
c)

To defend himself personally or through a defender chosen by him or, with a lack of funds to pay for counsel, to use the services of his appointed defender for free when the interests of justice so require
d)

To interrogate witnesses who testify against him or have the right to be interrogated by these witnesses and have the right to call and interrogate witnesses in his favour under the same conditions as for witnesses against him
e)

To use the free help of a translator if he does not understand the language used in court or does not speak that language

The Criminal Procedure Code of the Russian Federation has significantly expanded the rights of the victim of a crime, making it a more active participant in the criminal process. However, analysis of legislation and law enforcement practice shows that, in Russia, victims both legally and in fact are in a disadvantaged position; the level of legal protection of the victim is significantly lower than the suspect and the accused. The constitutional principle of legal proceedings on the basis of adversarial and equal rights of the parties implies parity of the rights of the victim and the accused (suspect) as parties to the criminal dispute.

G.I. Zagorsky. M.: Prospect, 2016. 1216 p. “Convention for the Protection of Human Rights and Fundamental Freedoms” (concluded in the city of Rome on November 4, 1950, as amended on May 13, 2004). Smirnova I.S. Asymmetry of the rights of the victim and the accused (suspect) // Bulletin of the Omsk Law Academy. 2016. N 2. P. 59–62.

Procedures

60. Is there a specific procedure to identify, analyse, relate, categorize, assess and establish causes associated with forensic data regarding cybercrimes?

The objects of the study of forensic computer technical expertise are computing equipment, software products and information objects. In this regard, within the framework of this forensic examination, hardware-computer, software-computer and information-computer research can be conducted.

The purpose of software and computer research is to study the functional purpose, characteristics, structural features and the current state of the computer system software presented for the study.

Information-computer research is key in the production of forensic computer-technical expertise, as it allows you to complete the holistic construction of the evidence base by final resolution of most issues related to computer information.

The main objectives of this study are the search, detection, analysis and evaluation of information prepared by the user or created by programs for organizing information processes in a computer system.

The production of information and computer research in the framework of computer-technical expertise can distinguish the following tasks:

Establishing the properties and type of information presented in a computer system when it is used directly
Determination of the actual state of information
Establishing the initial state of information on the data carrier
Determination of time, chronological sequence of impact on information
Determination of conditions for changing the properties of the studied information

00043/14/56151-BB “On Methodological Recommendations” (together with the “Methodological Recommendations on the Order of Appointment and Proceeding of Legal Expertise in Pre-Investigation and Investigation of Crimes Subject to the Federal Bailiff Service” approved by the FBS of Russia 15.09.2014 N 0004/22). Order of the FSS of Russia of 23.06.2011 N 277 (ed. 04.12.2017) “On the organisation of the production of forensic examinations in expert divisions of the federal security service” (together with the “Instructions on the organisation of the production of forensic examinations in expert divisions of the federal security service”).

61. In case of transnational crimes, how is cooperation between the national law enforcement agency and the foreign agents regulated?

The parties within the framework of this Agreement on cooperation of the state members of the Commonwealth of Independent States in the fight against crimes in the field of computer information shall cooperate in the following forms:

a)

The exchange of information, including:

On upcoming or committed crimes in the field of computer information and individuals and legal entities involved in them; on the forms and methods of prevention, detection, suppression, detection and investigation of crimes in this area; on methods of committing crimes in the field of computer information; on national legislation and international treaties governing the prevention, detection, suppression, disclosure and investigation of crimes in the field of computer information
b)

The execution of requests for operational investigations, as well as legal proceedings in accordance with international treaties on legal assistance
c)

Planning and conducting coordinated activities and operations for the prevention, detection, suppression, disclosure and investigation of crimes in the field of computer information
d)

Assisting in the training and professional development of personnel, including through the training of specialists, the organization of conferences, seminars and training courses
e)

Creation of information systems ensuring the fulfilment of tasks for the prevention, detection, suppression, disclosure and investigation of crimes in the sphere of computer information
f)

Conducting joint scientific research on issues of mutual interest in combating computer-related crime
g)

The exchange of regulatory legal acts and scientific and technical literature on the fight against crimes in the field of computer information
h)

In other mutually acceptable forms

In accordance with a number of agreements on legal assistance in criminal matters, in cases that are not delayed, requests may be sent directly by the competent authorities of the requesting state to the competent authorities of the Russian Federation, including through Interpol. In this case, a copy of the order is simultaneously transmitted to the relevant central competent authority.

Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information (Concluded in Minsk 01.06.2001). UNODC Cybercrime Repository. URL: <https://sherloc.unodc.org/cld/lessons-learned/rus/specific_channels_for_urgent_requests_for_mla_in_cybercrime_cases.html?&tmpl=cyb

62. Are there any exceptions to the use of mutual legal assistance procedure to investigate the crime?

The law does not address this question. According to the European Convention on Mutual Legal Assistance in Criminal Matters, assistance may be refused:

a)

If the request concerns an offence which the requested party considers a political offence, an offence connected with a political offence or a financial offence
b)

If the requested party considers that the execution of the request may prejudice sovereignty, security, public order or other essential interests of its country

The execution of a request under the Agreement on Cooperation of the States Parties of the Commonwealth of Independent States in the Fight against Computer Crime Offenses can be denied in full or in part if the requested party believes that its execution is contrary to its national law.

The requesting party shall be notified in writing of the complete or partial refusal to execute the request, indicating the reasons for refusal.

European Convention on Mutual Legal Assistance in Criminal Matters (ETS N 30) Concluded in the city of Strasbourg 04/20/1959, as amended on 08.11.2001). Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information (concluded in Minsk 01.06.2001

63. Does the national law require the use of measures to prevent cybercrimes? If so, what are they?

The organizer of information dissemination in the Internet is obliged to store in the territory of the Russian Federation:

1)

Information on the facts of reception, transmission, delivery and (or) processing of voice information, written text, images, sounds, video or other electronic messages of Internet users and information about these users within 1 year from the end of the implementation of such action
2)

Text messages of Internet users, voice information, images, sounds, video and other electronic messages of Internet users up to 6 months from the moment they have finished receiving, transmitting, delivering and (or) processing

The organizer of the dissemination of information on the Internet is obliged to provide relevant information to authorized state bodies carrying out operational investigative activities or ensuring the security of the Russian Federation in cases established by federal laws.

The organizer of the dissemination of information on the Internet is obliged to ensure the implementation of the requirements for equipment and software and hardware used by the specified organizer in the field of communication established by the federal executive body in the field of communications in coordination with the authorized state bodies carrying out operational and investigative activities information systems operated by him, for these bodies to conduct in cases established by the federal bubbled laws and measures in order to implement the tasks assigned to them and to take measures to prevent the disclosure of organizational and tactical methods of carrying out these activities.

In order to counteract the use in the Russian Federation of software and hardware access to information resources, information and telecommunication networks, access to which is restricted, the federal executive body that performs the functions of control and supervision in the field of media, mass communications, information technology and communication:

1)

Carries out the creation and operation of a federal state information system containing a list of information resources, information and telecommunication networks, access to which is restricted in the territory of the Russian Federation
2)

In accordance with the procedure established by the Government of the Russian Federation, interacts with federal executive bodies carrying out operational investigative activities or ensuring the security of the Russian Federation in order to obtain information about software and hardware access to information resources, information and telecommunication networks, access to which limited
3)

On the basis of a request from the federal executive body carrying out operational investigative activities or ensuring the security of the Russian Federation, determines the hosting provider or other person who provides the placement on the Internet of software and hardware access to information resources, information and telecommunication networks, access to which is limited
4)

Sends a notification to the hosting provider in electronic form in Russian and English about the need to provide data to identify the owner of the corresponding software and hardware
5)

Fixes the date and time of sending the notification in the federal state information system of information resources, information and telecommunication networks, access to which is restricted

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

Obligations and Sanctions

64. What obligations do law enforcement agencies have to protect the data of the suspect, the accused and the victim?

In exceptional cases related to the proceedings in another criminal, civil or administrative case, information about the protected person may be submitted to the preliminary investigation authorities, the prosecutor’s office or the court based on the written request of the prosecutor or the court (judge) with the permission of the authority that made the decision protection.

The procedure for implementing security measures in the form of ensuring the confidentiality of information about a protected person is established by the Government of the Russian Federation.

Federal law of 20.08.2004 N 119-FZ (as amended on 07.02.2017) “On state protection of victims, witnesses and other participants in criminal proceedings”.

65. What are the duties and obligations of the National Prosecuting Authorities in cases of cybercrime?

The prosecution authorities carry out prosecutorial supervision at the stage of initiating criminal proceedings for crimes in the sphere of computer information, as well as for investigating crimes in the sphere of computer information.

The prosecutor must carefully check the legality of the initiation of criminal cases and evaluate the submitted materials.

Studying the submitted materials, the prosecutor must make sure that the facts stated in statements, materials of the departmental and other verification of the violation of the integrity (confidentiality) of information in the computer system network are objectively confirmed – about the presence of a causal link between the illegal actions and the consequences provided for by the disposition of Art. 272 and 274 of the Criminal Code of the Russian Federation, in the form of copying, destruction, modification and blocking of information (to initiate a criminal case under Article 273 of the Criminal Code of the Russian Federation, the onset of such consequences is not necessary), and about the preliminary amount of damage caused by criminal acts.

The supervising prosecutor needs to verify the completeness of the materials, the legitimacy of their receipt and subsequent submission to the investigating authority.

Given the complexity of investigating computer-related crimes, the low qualifications of investigators, the need to use special knowledge in investigations and prosecutorial oversight of investigating these crimes should be carried out throughout the entire period of investigation.

Given the characteristics of the category of crimes under consideration, the prosecutor should carefully examine the evidence gathered during the preliminary investigation, which should be fully established by all the circumstances provided for in Art. 73 Code of Criminal Procedure. At the same time, as noted earlier, the composition of the crimes provided for by Chapter 28 of the Criminal Code of the Russian Federation, in addition to the main features of a crime, determines the causal link between the act and the consequences.

Studying a criminal case during the investigation, the prosecutor must establish whether these expert opinions fully answer the questions put by the investigator, whether all the necessary questions are put to the expert and whether the information contained in the expert’s opinion is enough to confirm the circumstances of the crime. Undoubtedly, the supervising prosecutor should have special knowledge of the types of forensic examinations conducted in criminal cases of this category and give appropriate recommendations to the head of the investigative body.

If the prosecutor reveals a violation that has already been committed during the preliminary investigation, he must use the powers granted to him by the Criminal Procedure Code of the Russian Federation and make a request to eliminate the violations committed during the preliminary investigation.

In accordance with Art. 221 of the Criminal Procedural Code of the Russian Federation, the prosecutor or his deputy must consider the received criminal case within a period not exceeding 10 days and take one of the following decisions:

On the approval of the indictment and the direction of the criminal case to the court
On the return of the criminal case to the investigator for additional investigation, changing the scope of the prosecution or qualifying the actions of the accused or re-drafting the indictment and eliminating the identified deficiencies with their written instructions
On the direction of the criminal case to a higher prosecutor for the approval of the indictment, if it is subject to the jurisdiction of the higher court

The prosecutor in accordance with paragraph. 2 h. 1 Article 221 of the Code of Criminal Procedure has the right to return the criminal case to the investigator for additional investigation, changing the scope of the prosecution or qualifying the actions of the accused or reconsidering the indictment and eliminating the identified deficiencies with their written instructions. Currently, the court does not have such a right, but it can return the criminal case to the prosecutor, if there are grounds provided for by Art. 237 Code of Criminal Procedure, which, as a rule, testifies to inadequate prosecutor’s supervision over the course of the preliminary investigation.

The hosting provider is obliged to provide data that allows identifying the owner of the news aggregator or audio-visual service.

The hosting provider is obliged to notify the site owner serviced by him on the Internet about the need to remove a web page containing information whose distribution in the Russian Federation is prohibited.

If information is found in information and telecommunication networks, including the Internet, expressing in an indecent form that offends human dignity and public morality, obvious disrespect for society, the state, official state symbols of the Russian Federation, the Constitution of the Russian Federation or to the authorities exercising state power in the Russian Federation, the hosting provider is obliged to inform the information resource owner that they serve ask him to immediately remove such information.

In case of failure or inaction of the owner of an information resource, the hosting provider is obliged to limit access to the relevant information resource immediately after the expiration of the day from the date of receipt of the notification about it.

The hosting provider is obliged to limit access to the information resource that disseminates information that violates copyright and related rights no later than the expiration of three working days from the date of receipt of the relevant notice.

Within one working day from the date of receipt from Roskomnadzor of a notice of cancellation of measures to restrict access to an information resource, the hosting provider is obliged to inform the owner of the information resource and notify about the possibility of lifting the access restriction.

In the case of detection in information and telecommunication networks, including the Internet, the information disseminated in violation of the law, i.e. containing calls for mass riots, extremist activities, participation in mass (public) events held in violation of the established procedure, inaccurate socially important information distributed under the guise of reliable messages, which creates a threat of harm to life and/or citizens’ health and property, the threat of mass violation of public order and (or) public safety or the threat of interfering with the functioning or termination of the functioning of life transport or social infrastructure, credit organizations, energy facilities, industry or communications, information materials of a foreign or international non-governmental organization whose activity is considered undesirable in the territory of the Russian Federation, the hosting provider is obliged to inform the hosting provider about the information owner of the information resource served by them and notify him of the need to immediately remove unlawfully distributed information.

The hosting provider is obliged to notify the owner of the information resource serviced by him about the need to immediately take measures to eliminate violations of the legislation of the Russian Federation in the field of personal data or take measures to restrict access to information processed in violation of the legislation of the Russian Federation in the field of personal data.

At the request of Roskomnadzor, the hosting provider is obliged to provide data allowing identification of the owner of software and hardware access to information resources, information and telecommunication networks, access to which is restricted.

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

66. Does the law impose any obligations on service providers in connection with cybercrime?